July 14, 2026
Author: Hassan Mohammed Said Platform: PortSwigger Web Security Academy Difficulty: Easy…
Introduction
By HASSAN MOHAMMED SAID
2 min read
Author: Hassan Mohammed Said Platform: PortSwigger Web Security Academy Difficulty: Easy Category: SQL Injection (SQLi)
This is another SQL Injection lab from PortSwigger Web Security Academy that demonstrates how improper input handling in a login form can allow an attacker to bypass authentication.
In this lab, the login functionality is vulnerable to SQL Injection. By manipulating the username parameter, we can bypass the password verification process and log in as the administrator user.
The goal of the lab is:
Log in to the application as the administrator user.
Lab Description
The application contains a login page with two input fields:
Username
Password
Press enter or click to view image in full size
When a user attempts to log in, the application likely executes a SQL query similar to:
SELECT * FROM users WHERE username = 'administrator' AND password = 'password'
The application checks whether both the username and password are correct before granting access.
Understanding the Query
The login process works as follows:
SELECT * FROM users WHERE username='administrator' AND password='password'
If both conditions are true:
username='administrator' password='password'
the user is successfully authenticated.
Otherwise, the login attempt fails.
Identifying the Injection Point
After accessing the login page, I noticed that user input is directly used in the authentication process.
Username Parameter
The most common target for SQL Injection in login forms is the:
SQL Injection Payload
I entered the following payload in the username field:
administrator' — —
Password:
anything
or leave it blank.
Press enter or click to view image in full size
Resulting Query
The backend query becomes:
SELECT * FROM users WHERE username='administrator'- - AND password='anything'
Why Does This Work?
Step 1: The application receives:
administrator'- -
Which closes the original username string.
Step 2: The comment operator:
comments out the remaining portion of the SQL query.
Everything after it is ignored:
AND password='anything'
Step 3: The database effectively executes:
SELECT * FROM users WHERE username='administrator'
Since the password condition is removed, the application authenticates the user as administrator.
Outcome
The application logs in successfully as:
administrator
This completes the lab successfully.
Key Concepts Learned:
-
SQL Injection
-
Authentication Bypass
-
SQL Comments
-
Login Function Vulnerabilities
Prevention:
-
Parameterized Queries
-
Input Validation
-
Password Hashing
-
Least Privilege
-
Web Application Firewall (WAF)
Conclusion
This lab demonstrates a classic SQL Injection attack against a login form. By injecting:
administrator'- -
into the username field, we successfully bypassed the password verification process and gained access to the administrator account.
Final Note:
Thank you for reading my SQL Injection write-up. This lab helped me understand how a simple SQL Injection vulnerability can completely bypass authentication mechanisms and lead to unauthorized access. As I continue learning Web Application Security through PortSwigger Web Security Academy, I look forward to exploring more real-world vulnerabilities and sharing my learning journey.
Thank you for your time and support.